Transit Swap, a multichain decentralized exchange aggregator, lost roughly $23 million after a hacker exploited an internal bug on a swap contract. The cross-chain DEX yesterday revealed that the hacker took advantage of a bug in its code. Following the revelation, Transit Swap issued an apology to users with efforts to track down and recover the stolen funds currently underway.
The Transit Swap Exploit Agreement
On Oct. 10, the decentralized finance (DeFi) protocol Transit Swap announced that it had agreed with its most prominent hacker to return funds. Approximately one week prior, a hacker exploited an internal bug on a swap contract within the protocol and caused other individuals to imitate the security breach, leading to a loss of over $23 million in user funds.
“We are deeply sorry,” stated Transit Swap while revealing that a bug in the code allowed a hacker to make away with an estimated $23 million. Blockchain security firm PeckShield narrowed down the attack to a compatibility issue or misplaced trust in the swap contract. Many security companies helped search for the missing funds and track down the hacker.
“We now have much valid information, such as the hacker’s IP, email address, and associated on-chain addresses. We will try our best to track the hacker, communicate with the hacker, and help everyone recover their losses.”
However, the prominent hacker has since returned approximately 70% of exploited funds thanks to the help of security companies such as Peckshield, SlowMist, Bitrace, and TokenPocket. They quickly tracked down the hacker by identifying their IP address, email address, and associated-on chain addresses.
As per Oct. 10’s agreement, the hacker will return the remaining 10,000 BNB tokens, worth roughly $2.74 million, from the exploit in exchange for relief of all legal liabilities arising from the attack from Transit Swap’s side. In addition, the hacker will keep 2,500 BNB ($685,600) for his “white hat” efforts in uncovering the security vulnerability.
“A consensus has been reached between the biggest hacker and TransitFinance Official. The hacker will keep 2,500 BNB as a bonus and refund the users’ remaining 10,000 BNB” – Transit Swap.
The Transit Swap team has also set a deadline of Oct. 12 for two hacker imitators and one hacker arbitrageur to return the stolen funds. Afterward, developers threatened that “judicial actions” would be taken if funds were not returned.
At the beginning of the year, DeFi exploits were essentially a low-risk, high-reward endeavor thanks to user anonymity. Recently, the rise of blockchain analytic firms and forensic DeFi firms, coupled with a U.S. ban on crypto-mixer tools such as Tornado Cash, has made it harder for hackers to launder stolen funds. Instead, some have opted to return the funds and keep a portion of the exploited proceeds as a “bounty” for uncovering security vulnerabilities. DeFi exploits have been slowed down, and we hope to, one day, never have exploits on any DeFi platform.